Pirate Bay Trial "Growing Pains"

Presented by

Patrick Gray

CEO and Publisher

In June, Internet piracy as we know it turns 10.

It was June 1999 when Napster first hit the 'net, providing tech-savvy computer users with unfettered and free access to the largest catalogue of music ever assembled.

Napster was a brilliant piece of software. It allowed Internet users with Napster installed on their systems to "share" their digitised music collections with all and sundry. That meant limitless, free access to digitised recordings normally sold on CD.

Not surprisingly, music industry executives hit the roof. They dispatched the litigation drones and the service was effectively shut down in July 2001 after a fierce court battle in California.

Despite the fact the service was found to be illegal and shut down, Napster had already ushered in a cultural shift among those who'd used it. Consumers found the facility to download any song, virtually instantly and for free, addictive.

A few months after Napster bit the dust Apple released the iPod music player and digital music well and truly hit the mainstream. A host of Napster equivalents popped up all over the world to satiate consumers' newfound appetite for massive personal music catalogues.

There was eMule, eDonkey, Kazaa, Limewire, BitTorrent and so on. BitTorrent survived as the strongest standard -- it's technically robust and relies on websites, not a built-in feature, to list catalogues of files for "sharing". That makes it hard for the copyright lobby to sue the makers of the software. It's the operators of the index websites the copyright cops have in their sights.

The Pirate Bay is one such BitTorrent index, and it lists more than just music. (Note the use of present tense. Despite the conviction of The Pirate Bay Four, the site is still running in another jurisdiction.)

These days piracy is a problem for the movie and television industries as well as the music business. The proliferation of broadband services makes downloading video through peer-to-peer software easy, and piracy is rife.

There have been various approaches to combating illegal file sharing and some have been absurd. For years the recording industry in the USA engaged in a systematic campaign of litigation against individuals suspected of piracy. In one famous case a 12-year-old girl living in public housing in the USA was forced to settle a Recording Industry Association of America (RIAA) lawsuit.

A side-effect of this aggressive war on technology was the creation of a counterculture that believed piracy was actually ethical. As much as it scared the willies out of many would-be file sharers, the recording industry's thuggish behaviour made stealing from it feel just.

Today, however, it's harder to see how music piracy can be considered ethical in any sense. It's possible to buy music online through services such as Apple's iTunes Music Store and NineMSN. In addition, many artists choose to release their music on to the Internet as free downloads. They happily bypass the music industry and encourage people to share their tunes.

The music is out there, and there are legitimate ways of getting to it.

This is where it gets interesting. Many Internet users who'd download massive amounts of pirated content would justify their behaviour by insisting they would pay for the content if it were available to them online. Well, now it is.

Many movies are also available online as paid downloads and some TV shows are now made available online for no charge at all. It's all going online.

TiVo has just launched a pay-per-download movie service for its customers through home entertainment chain Blockbuster.

TV networks are also getting in on the action. The Nine Network, for example, has made the current series of Underbelly available for download from its website. It uses a special video format that allows Nine to insert demographically targeted ads into the videos and disable the recordings on the user's machine when the series ends. That way DVD sales are preserved, the content is ad supported and consumers are happy.

This is the future. Television shows, movies and music will all be primarily distributed online. Some will be ad-supported, some will be pay-per download. Once this marketplace has been established, the argument against piracy starts to look like a slam-dunk. High-profile websites like The Pirate Bay will be shut down to preserve the new market, and so they should.

That doesn't mean piracy will completely disappear. It's a part of the rich tapestry of modern life and content producers need to accept it as such, just as they did when video and cassette recorders came along. (Tape-to-tape devices and mix tapes were supposed to be the end of the world back then, remember?)

Small online communities supporting the sharing (or piracy) of niche content (old cop shows, for example) will survive -- copyright holders are unlikely to pursue these operators aggressively. But The Pirate Bay was a flagrant smorgasbord of pirated content. Its operators even used to publicly ridicule copyright lawyers seeking to have specific content removed.

They earned the charges against them. Whether or not the state-funded investigation and prosecution in criminal courts was a good use of Swedish taxpayer money is a matter for debate.

The fact is lawsuits like the one against The Pirate Bay are just growing pains. They're a result of the friction between Gen Y types who want it all now and the copyright lobby's embarrassing attempts to litigate its way out of having to alter its business model. But we're getting there.

High profile piracy is on the way out, online video stores are on the way in.

But if you happen to have series three of Deadwood in a digital format, give me your address. I'll pop over with my portable hard drive for a cup of tea.

I doubt we'll get sued.

Patrick Gray is an Australian technology journalist and publisher specialising in IT security. In 2004, he covered the music industry's federal court lawsuit against Kazaa for Wired News. These days he is the host of the Risky Business IT security podcast.

Risky Business #106 -- Centrelink's new PLAID auth protocol

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's edition of Risky Business is brought to you by Tenable Network Security and hosted by Vigabyte virtual hosting at discounted rates.

We've got a great show this week. Australia's welfare agency, Centrelink, has written its own smart card authentication protocol and released it to the public. It's called PLAID and the plan is to have it recognised as an ISO standard. It's an extremely ambitious project and Centrelink's smart card architect Glenn Mitchell will be along to talk about it.

We also chat to Tenable Network Security's Marcus Ranum in this week's sponsor interview. We spoke about the recent hysteria around Chinese hackers apparently downloading the plans for America's Joint Strike Fighter.

Freelance security dude Adam "Metlstorm" Boileau is this week's news guest.

We'd like to hear your thoughts on PLAID, too. Do you think it's a waste of time and taxpayer money or a masterstroke? Call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free)... or go to the risky.biz forums.


Hack Our New Authentication Protocol, Says Centrelink

Presented by

Patrick Gray

CEO and Publisher

Australia's welfare agency released the draft implementation of PLAID last month. It created the new protocol because off-the-shelf solutions didn't match Centrelink's "business needs," Mitchell says.

He now hopes crypto-geeks all over the world will rip into the software, now in its second draft. "We need to make sure it's as secure as we believe it to be," he told the Risky Business podcast. "There may be issues... if anyone does any issues with it then we're more than happy to take feedback on board and see what we can do to review it."

Off-the-shelf solutions allow contactless smartcards to be identified via passive sniffing, Mitchell says. Even a PKI-based solution will allow an observer to intercept some static information that could be used to identify specific cards.

"[PLAID is] designed for privacy and security," Mitchell says. "For what we're issuing here at Centrelink there's a lot of traffic transmitted from the reader to the card and the card responds through the airwaves. That traffic... possibly if it had static information or determinable information, could identify the card holder."

With PLAID, he says, there's "no way to identify the card involved in the transaction".

While Mitchell recognises "rolling your own" cryptographic systems is risky, he says the use of well established, peer-reviewed cryptographic algorithms within the PLAID protocol will insulate Centrelink from the worst kind of mistakes.

"I completely agree. Rolling your own crypto is definitely not the done thing. History has shown us [it's] always a bad idea," he says. "[But] PLAID isn't a cryptographic algorithm, it's a protocol... it uses two algorithms, the first being the RSA cipher, the second being Rijndael."
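The property Mitchell describes is that nothing a passive sniffer sees on the air is constant from one session to the next, so transcripts cannot be linked back to a card. The following is an added illustration, not PLAID and not Centrelink's code: it models the weak exchange (card identifier sent in the clear alongside a challenge response) beside a randomised exchange, and gives the observer's check a reviewer would actually run over sniffed transcripts. To stay runnable offline it uses a symmetric randomised hash lock (an HMAC over reader and card nonces, with the reader identifying the card by trying each key it holds) in place of PLAID's RSA and AES; the card population, keys and nonce sizes are constructed for the demo.

```python
"""Passive-observer linkability check for a contactless card exchange.

Added illustration only: this is NOT PLAID. It stands in for the privacy
property Mitchell describes using a symmetric randomised-hash-lock exchange
(HMAC over reader and card nonces; the reader identifies the card by trying
each known key). PLAID itself uses RSA and AES, which this does not model.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set

# Constructed card population: card identifier -> secret shared with the reader.
CARDS: Dict[str, bytes] = {
    cid: secrets.token_bytes(16) for cid in ("card-A", "card-B", "card-C")
}


def static_id_session(card_id: str, key: bytes) -> Dict[str, bytes]:
    """Weak exchange: the card proves key possession but also sends its
    identifier in the clear, so every session from this card carries the
    same observable value."""
    reader_nonce = secrets.token_bytes(8)
    response = hmac.new(key, reader_nonce, hashlib.sha256).digest()
    return {"reader_nonce": reader_nonce, "card_id": card_id.encode(), "response": response}


def randomised_session(key: bytes) -> Dict[str, bytes]:
    """Randomised exchange: both sides contribute a fresh nonce and the card
    answers with a MAC over both, so every field on the air changes per session."""
    reader_nonce = secrets.token_bytes(8)
    card_nonce = secrets.token_bytes(8)
    response = hmac.new(key, reader_nonce + card_nonce, hashlib.sha256).digest()
    return {"reader_nonce": reader_nonce, "card_nonce": card_nonce, "response": response}


def reader_identify(transcript: Dict[str, bytes], cards: Dict[str, bytes]) -> Optional[str]:
    """Reader side of the randomised exchange: recompute the MAC under each
    card key it holds until one matches (linear search over the population)."""
    msg = transcript["reader_nonce"] + transcript["card_nonce"]
    for cid, key in cards.items():
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if hmac.compare_digest(expected, transcript["response"]):
            return cid
    return None


def linkable_fields(transcripts: List[Dict[str, bytes]]) -> Set[str]:
    """Observer's check: names of fields whose value never changes across the
    sniffed sessions. Any non-empty result is a tracking handle."""
    if len(transcripts) < 2:
        raise ValueError("need at least two transcripts to test linkability")
    first = transcripts[0]
    return {
        name for name, value in first.items()
        if all(t.get(name) == value for t in transcripts[1:])
    }


def demo(card_id: str = "card-A", sessions: int = 5) -> Dict[str, object]:
    """Sniff several sessions of one card under each exchange and compare."""
    key = CARDS[card_id]
    weak = [static_id_session(card_id, key) for _ in range(sessions)]
    strong = [randomised_session(key) for _ in range(sessions)]
    return {
        "weak_linkable": linkable_fields(weak),          # expect {"card_id"}
        "strong_linkable": linkable_fields(strong),      # expect set()
        "reader_identified": [reader_identify(t, CARDS) for t in strong],
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats the check does not cover: an empty result only says no application-layer field is static, not that the card is unlinkable (the anti-collision UID the reader sees before any application protocol runs must itself be randomised, and response timing can leak too), and the linear key search is what PLAID's public-key design avoids, so the symmetric stand-in does not scale the way the real protocol is meant to.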

The agency will roll out an off-the-shelf PKI-based smartcard system before upgrading the cards to use the PLAID protocol when, or if, it becomes ready.

While Mitchell hopes vendors will adopt the new protocol, he says most have shown reluctance to embrace a protocol that isn't recognised as a standard. "Once it is standardised... then we expect to see a little more enthusiasm," he says.

The plan is to have the protocol recognised as an Australian standard and eventually an ISO standard.

Click here to listen to the full interview with Glenn Mitchell in the Risky Business podcast.

Cool Tool: Why You Need Kon-Boot

Presented by

Patrick Gray

CEO and Publisher

It's just another way to get full privileges once you have physical access, but it looks nice and simple and even supports Windows 7 for Chrissakes!

It's free and you can get it here.

Risky Business #105 -- RSA conference wrap plus X10 security

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's show is brought to you by Check Point Software.

This week's show is a bit of a mixed bag. We chatted with 451 Group analyst Paul Roberts live from the floor at the RSA conference in San Francisco. Then for something completely different we quizzed Adam Pointon about his adventures with X10 home automation equipment.

Check Point Australia's Steve MacDonald is this week's sponsor guest, and Adam Boileau was this week's news guest.

To answer this week's call-in question, tell us what your experience with DLP software's been over the last year. Call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free).


Pirate Bay Prosecution a Waste of Police Resources

Presented by

Nigel Phair

Handing down a year in the big house is a strong deterrent against those who may consider doing this type of thing in the future, but is it really the best judicial outcome?

The Swedish cops raided The Pirate Bay a couple of years ago and seized servers, but even this action didn't shut the site down. The investigation was well handled, but surely police resources should be dedicated to more serious crimes.

While intellectual property theft is bad, it is more of a civil tort rather than a wrong against the state. The International Federation of the Phonographic Industry (or IFPI, which has ex-cops working for it) and its regional subsidiaries are very active in pursuing those involved in deliberate infringement of copyright on a commercial scale, and they are effective in doing so.

They conduct their own investigations and have chalked up some impressive wins. And there are lots of good reasons for taking civil action as opposed to criminal prosecution. Civil cases are easier to prove: balance of probabilities versus beyond reasonable doubt. Plaintiffs have more control in a civil trial, as opposed to the vagaries of the criminal system, and they can gain a better outcome: a negotiated settlement versus a drawn-out trial.

But this time the assault against piracy went down the criminal route. So in addition to the law enforcement resources required to handle the investigation, significant criminal court resources were tied up in the subsequent trial, and it's not over yet. Even though a decision has been reached, appeals and cross-appeals will play out for years to come.

And what about the sanction? In Australia and many other jurisdictions gaol time is reserved for very serious offences and violent criminals. More people in custody does not equal lower crime rates or lower recidivism rates. Prison should only be used as a means of last resort and there are alternatives to incarceration.

Not only are they cheaper for the taxpayer, but non-custodial sentences for copyright infringement better suit the characteristics of the offenders and their crimes. Better options include home detention (without internet access of course), community service orders and fines.

It's worth noting that despite the massive effort involved in this investigation and trial The Pirate Bay site has been moved abroad and is still active.

Nigel Phair was the Team Leader of Investigations for the Australian High Tech Crime Centre from 2003 to 2007 and the author of Cybercrime: The Reality of the Threat. He is an active cyber crime analyst.

Risky Business #104 -- 2008: The Postmortem

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's podcast is brought to you by Microsoft and hosted, as always, by Vigabyte virtual hosting.

On this week's show we hear from Bryan Sartin of Verizon Business Security Solutions. He'll be discussing that company's 2009 Data Breach Study.

Verizon has a well-established forensics unit and its reports are interesting. This study is to the infosec industry what black box reports are to the aviation industry: a post-mortem examination of what went wrong.

We also check in with Stuart Strathdee, Microsoft Australia's Strategic Security Advisor, in this week's sponsor interview. He'll be chatting about Microsoft's own Security Intelligence Report. There are some really surprising results to come out of that one.

Paul Craig is this week's news guest.


Essential reading: Verizon's Data Breach Study

Presented by

Patrick Gray

CEO and Publisher

The report is essential reading; the post-mortem analysis of data breaches is to the information security industry what black-box flight recorder information is to the aviation industry. By understanding where things have gone wrong, we can avoid repeating the mistakes of some of our peers.

A phone interview with the company's director of investigative response, Bryan Sartin, has been recorded and will be included in Risky Business #104, which is due to be published in the next 24 hours.

In the mean time, the 52-page report can be found in pdf form here. It's a must read for anyone working in enterprise security.

The report makes some fairly sweeping claims about data-loss trends. Take them with a grain of salt. The statistics the company is presenting here are cobbled together from its investigation of approximately 100 data-loss incidents.

When forming your own opinion about the information presented, keep in mind the company can only put forward statistics drawn from jobs it worked on. There are many providers of forensic services. A big uptick in the number of breached records Verizon has investigated doesn't necessarily mean there have been more breaches; it could just mean the company's forensics department has grown.

That said, a report containing this much gory detail on data-loss incidents is still valuable to anyone charged with securing enterprise data.

DISCLAIMER: The following text came from a press release issued by Verizon Business:

The financial industry accounted for 93 percent of incidents investigated by the company, which claims most of the breaches reported to it were avoidable.

The study, based on data analysed from Verizon Business' caseload of 90 confirmed breaches throughout 2008, revealed corporations fell victim to some of the largest cybercrimes ever during 2008.

Nine out of 10 breaches were considered avoidable if security basics had been followed. Most of the breaches investigated did not require difficult or expensive preventive controls. The 2009 report concluded that mistakes and oversight failures hindered security efforts more than a lack of resources at the time of the breach.

Similar to the first study's findings, the latest study found that highly sophisticated attacks account for only 17 percent of breaches. However, these relatively few cases accounted for 95 percent of the total records breached -- proving that motivated hackers know where and what to target.

Key Findings of the 2009 Report:

  • Most data breaches investigated were caused by external sources. Seventy-four percent of breaches resulted from external sources, while 32 percent were linked to business partners. Only 20 percent were caused by insiders, a finding that may be contrary to certain widely held beliefs.
  • Most breaches resulted from a combination of events rather than a single action. Sixty-four percent of breaches were attributed to hackers who used a combination of methods. In most successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware on a system to collect data.
  • In 69 percent of cases, the breach was discovered by third parties. The ability to detect a data breach when it occurs remains a huge stumbling block for most organisations. Whether the deficiency lies in technology or process, the result is the same. During the last five years, relatively few victims have discovered their own breaches.
  • Nearly all records compromised in 2008 were from online assets. Despite widespread concern over desktops, mobile devices, portable media and the like, 99 percent of all breached records were compromised from servers and applications.
  • Roughly 20 percent of 2008 cases involved more than one breach. Multiple distinct entities or locations were individually compromised as part of a single case, and remarkably, half of the breaches consisted of interrelated incidents often caused by the same individuals.
  • Being PCI-compliant is critically important. A staggering 81 percent of affected organisations subject to the Payment Card Industry Data Security Standard (PCI-DSS) had been found non-compliant prior to being breached.

Poor Scoping Disastrous for Security

Presented by

Adam Boileau

Technology Editor

All enterprises must eventually accept that security is just one more part of the software or system development lifecycle. Both designs and implementations must be reviewed, developers need security training and infosec teams need the power to veto go-live dates.

Lots of businesses have arrived at this point. But what often happens as a result is security gets siloed per project. The project scope determines what security people will see, where there is budget, and critically, where the incentive to fix the problems lies.

This means that the way project silos interact -- the reefs between scope islands -- is never in scope. And as we all know, scope is for project managers, auditors and security consultants. Hackers don't care about your scope.

Let's look at how scoping can create some pretty perverse outcomes.

So I owned this bank system. Hard. Pentesting externally, I managed to go from no auth to complete customer account compromise. I could reset passwords, transfer money, whatever. Pretty bad as customer facing banking system deployment projects go, right?

I head to the wrapup meeting, held in a typical bank meeting room. You know the type -- poorly cleaned motorised-printy whiteboard that no longer motors, acoustic tiled ceiling the colour of institutional gravy, one glass wall out into the post-carpet-cubicle humanist refurbishment.

The cubicles are slightly curvy now, less beige, lower and more modular and hip, but still festooned with the trademark flotsam of the corporate slum; a thousand colour laser printed pictures of funny cats, babies, daughters with ponies, movie posters with someone's head photoshopped -- no hang on, MS paint.exe'd -- on and captioned with some tepid project in-joke.

This is the meeting where I explain what's going to be in the report, discuss the technical remediation options with the developers and the impact on project go-live signoff with the project manager. Normally what you're aiming for here is dismissive-defensive-disbelief-dawninghorror from the developers, and something approaching open weeping from the PM. A grimace is good, but actual sobbing is better.

I lay it out for them. A few technical details for the nerdy types, some screenshots on my laptop for the PM, then the chill starts to set in. The PM is ashen, the developers in the final d-stage. Beautifully orchestrated meeting-fu, Metl. They're weeping from the palm of my hand. So much for that project deadline, now a zeppelin destined to miss its mooring post in the dark night sky.

"Oh, god, there's no way we're going to be able to go live Friday week," the PM cries. "This is a disaster; Bob's HVT project depends on, oh, and the entire New SSI project... How are we going to..."

But I too am human and I misjudge my final salvo; I let my guard down, falling for the anthropomorphism the marketing team work so hard to erect: That the corporation is a caring, living organism, in verdant symbiosis with its adoring customers.

"I, uh, think this affects the live system too," I say.

"Whaaaat?"

"Yeah. I didn't test it obviously, but this bug is due to the way your new system interacts with the backend DollaMasta2000. If anything, it's a business rules bug, where your ..."

I trail off. The project manager has a rictus grin on her face. All of a sudden I feel unsure of myself, like I've just made some awful faux pas. I feel like a turd in a punchbowl.

"Are you saying," she begins slowly, "that this affects the production system? That you could do this to anyone's real accounts? My account?"

Oh, phew, I think. She does get it after all. "Yes!" I gush, enthusiasm at my own cleverness replacing the awkwardness of a moment before. "I can own anyone's account, this is pretty bad."

"OH THANK CHRIST FOR THAT!"

I blink.

"LEGACY ISSUE! OUT OF SCOPE! DOESN'T AFFECT OUR GO-LIVE! NOT EVEN IN OUR BUDGET! OOOOH YEAH!"

There's a big, shit-eating grin on her face. You. have. got. to. be. kidding, right Metl?

No, I'm not. I'm serious. This is how it went down. I'm not making this up.

That's what "scoping" is doing to your enterprise.

So here's my one line take-away for this week:

Hackers don't give a shit about your scope.

They couldn't care less if that legacy HPUX box wasn't in scope when you did the Northern-Data-Centre Refresh Project. They don't care that layer-2 segregation is implemented by one team, but that layer-3 filtering is implemented by another, and the two don't talk. They don't care that all your corporate laptops are locked down as hell, because the CEO is surfin' on his wireless toobs at the airport business class lounge and just got owned.

The fundamental asymmetry of this industry wins - the hacker only has to find one easy way in, and that, I guarantee you, will be in the place that was never in scope.

Project-based security is important for the long-term health of your business, but don't let it starve out real, holistic, enterprise-wide security goals. Don't write off business-targeted, no-holds-barred pentesting as 'scaremongering'; don't get hostile because the pen-testers waltzed around your network popping shells and illuminating your failings with all the stark horror of a blacklight in a Vegas hotel room. It's our job, and some of us are good at it.

Sometimes you need to let us own you, hard, brutally and for real. To show you how easy it is, to gouge out real business impact, to shred all the garish crepe paper disguising the cracks around your delusional scoping. You need to be re-focussed, brought back down to earth, out of your politics and scoping and business silo structure, because the truth here is that no one outside of your organisation gives a shit, and least of all the dude that just owned you.

Metlstorm is a New Zealand-based freelance security consultant. He's created several tools including Hai2IVR, Winlockpwn and SSH Jack. He's also an organiser of the annual Kiwicon security conference in Wellington, New Zealand.

Log Retention Unworkable in Wireless World

Presented by

Nigel Phair

Under this Act, lawmakers are seeking to impose requirements on ISPs and wireless network operators to keep records about the identities of their users.

Under the law, network operators would have to retain the network addresses assigned to any users for a minimum of two years, information which law enforcement could use to track down criminals.

But the broad language of the Bill, which would apply to any "provider of an electronic communication service," could mean that coffee shops, airport lounges and even individual households would be required to keep detailed logs, and that just isn't going to happen.

The Bill is well intentioned but creates requirements that could never be enforced.

ISPs keep logs anyway -- they have to for billing purposes. All they need to do to comply with this new law is buy a few terabytes of storage, tweak a couple of settings and Bob's their mother's brother.

As for non-ISP electronic communications providers, any logging requirement placed on them wouldn't just involve storage space but also the management, development and security of the collected data.

The proposed US Bill suggests wireless network operators should capture and retain logs. That's great in theory, but not all wireless devices have this ability. Sure, products like Microsoft Wireless Monitor allow network operators to view details about access points and wireless clients. But this information is primarily designed for troubleshooting wireless services, not for identifying users after the fact.

Then there are jurisdictional issues. Transactional data collected from travellers at an international airport, for example, is next to useless unless there are formal mutual legal assistance treaties between the country where the data is being retained and the country where the suspect is located. They may have been using the airport facility during their vacation.

Further, who is going to monitor compliance? All CBDs are littered with wireless networks, some public, some not. Identifying the owner of the network is one thing, finding someone to hold responsible is another. And how would such directives be enforced? Civil action would seem the most logical against those companies that refuse to comply. But this is costly, time consuming and just not very likely.

The questions pertaining to online data collection are global. While regulators bear the ultimate responsibility of ensuring markets work, consumers and businesses must be involved in the debate to determine acceptable data collection and retention standards.

Nigel Phair was the Team Leader of Investigations for the Australian High Tech Crime Centre from 2003 to 2007 and the author of Cybercrime: The Reality of the Threat. He is an active cyber crime analyst.